The White List, the Black List, and the Grey List

By Amrit Williams, Chief Technical Officer, BigFix, Inc.

Most organisations believe they have a fairly clear picture of how their enterprise network is configured and the devices attached to it. When it comes to identifying rogue assets, itís usually a matter of white or black. Whitelisted assets are clearly inventoried and actively managed by the enterprise. Blacklisted assets can include virus-infected computers or machines that may pose no overt harm, but do not conform to the enterprise security dress code.

IT departments must now also deal with a third class of network assets, greylisted devices. Greylisted devices are usually brought into an organisation by employees and used to perform legitimate work. They often tend to be consumer products that users believe are faster, easier to use, and generally more advanced than standard equipment issued by the enterprise.

For many end users, it can be a painful experience to use a three-year-old computer when they believe that performance of currently available equipment has quadrupled since their office PCís purchase date. On the software side, users might ask why they should put up with stodgy email when they really want to exchange text messages. And if 70 percent of their hard disks are empty, why not fill that space with MP3 files or wedding photos?

Many IT managers would argue that managing greylisted assets is easyósimply ban them from the infrastructure. But itís not that simple. End user claims of improved productivity might have an element of truth in them. Secondly, the cost of alienating younger workers may be too high. Finally, technology that end users bring with them is very often technology that their organisation doesnít have to buy. Like it or not, greylisted assets need to be factored into IT management programs

Visibility a Prerequisite
Real-time visibility into assets, software and activities inside an infrastructure is the primary prerequisite for getting a handle on the greylisted assets problem. After all, how can you manage what you donít see?

Visibility must extend to greylisted assetsí configurations and their actions on the network. Itís not enough to know that a non-standard PC has just logged on. You also need to know what software the machine runs, and whether it is running any processes that could disrupt the infrastructure.

Managing Assets or Processes?
As IT managers have less control over the kinds of devices that play on their networks, the question becomes less about managing tangible assets and more about protecting information and controlling processes. This argues for a policy-driven approach to information security management that encompasses both conditions and actions. Policy can be an all-encompassing term that can specify conditionsóëOur policy is that all Windows XP devices should have the latest Microsoft patchesíóor processesóëWe forbid transfer of documents containing credit card numbers to USB drives.í

Policies also have the advantage of a preemptive bias rather than a reactive one. A policy is a higher-level description of a positive result that may be accomplished through a number of associated automated decisions about eligibility (ëDoes this PC really need this patch?í) and execution (ëIf yes, load patch, restart machine, confirm configuration, report back.í)

The Bottom Line
Itís a clich to say that the IT security threat environment is evolving faster and becoming more dangerous. With the proliferation of greylisted devices, IT infrastructure security and configuration management is also becoming more ambiguous. The issues are progressively moving away from questions of black and white to shades of grey. As this occurs, managers should focus on policy-based approaches to managing what happens to information rather than fending off individual threats to the integrity of hardware or software assets.

BigFix, Inc. is exhibiting at Infosecurity Europe 2008, Europeís number one dedicated Information security event. Now in its 13th year, the show continues to provide an unrivalled education programme, new products & services, over 300 exhibitors and 11,700 visitors from every segment of the industry. Held on the 22nd ñ 24th April 2008 in the Grand Hall, Olympia, this is a must attend event for all professionals involved in Information Security.

By Amrit Williams, Chief Technical Officer, BigFix, Inc.